Distribute read requests amongst the available Key Trustee Servers. Only effective when a passive server is specified.

cloudera.trustee.keyprovider.roundrobin

false

cloudera_trustee_keyprovider_roundrobin

false

Flume Proxy User Groups

Allows the flume superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.flume.groups

*

hadoop_kms_proxyuser_flume_groups

false

Flume Proxy User Hosts

Comma-delimited list of hosts where you want to allow the flume user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.flume.hosts

*

hadoop_kms_proxyuser_flume_hosts

false

HDFS Proxy User Groups

Allows the hdfs superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.hdfs.groups

*

hadoop_kms_proxyuser_hdfs_groups

false

HDFS Proxy User Hosts

Comma-delimited list of hosts where you want to allow the hdfs user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.hdfs.hosts

*

hadoop_kms_proxyuser_hdfs_hosts

false

Hive Proxy User Groups

Allows the hive superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.hive.groups

*

hadoop_kms_proxyuser_hive_groups

false

Hive Proxy User Hosts

Comma-delimited list of hosts where you want to allow the hive user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.hive.hosts

*

hadoop_kms_proxyuser_hive_hosts

false

HTTP Proxy User Groups

Allows the HTTP superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.HTTP.groups

*

hadoop_kms_proxyuser_HTTP_groups

false

HTTP Proxy User Hosts

Comma-delimited list of hosts where you want to allow the HTTP user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.HTTP.hosts

*

hadoop_kms_proxyuser_HTTP_hosts

false

HttpFS Proxy User Groups

Allows the httpfs superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.httpfs.groups

*

hadoop_kms_proxyuser_httpfs_groups

false

HttpFS Proxy User Hosts

Comma-delimited list of hosts where you want to allow the httpfs user to impersonate other users. The default '*' allows all hosts.
To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.httpfs.hosts

*

hadoop_kms_proxyuser_httpfs_hosts

false

Hue Proxy User Groups

Allows the hue superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.hue.groups

*

hadoop_kms_proxyuser_hue_groups

false

Hue Proxy User Hosts

Comma-delimited list of hosts where you want to allow the hue user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.hue.hosts

*

hadoop_kms_proxyuser_hue_hosts

false

Mapred Proxy User Groups

Allows the mapred superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.mapred.groups

*

hadoop_kms_proxyuser_mapred_groups

false

Mapred Proxy User Hosts

Comma-delimited list of hosts where you want to allow the mapred user to impersonate other users. The default '*' allows all hosts.
To disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.mapred.hosts

*

hadoop_kms_proxyuser_mapred_hosts

false

Oozie Proxy User Groups

Allows the oozie superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.oozie.groups

*

hadoop_kms_proxyuser_oozie_groups

false

Oozie Proxy User Hosts

Comma-delimited list of hosts where you want to allow the oozie user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.oozie.hosts

*

hadoop_kms_proxyuser_oozie_hosts

false

YARN Proxy User Groups

Allows the yarn superuser to impersonate any members of a comma-delimited list of groups. The default '*' allows all groups. To
disable entirely, use a string that doesn't correspond to a group name, such as '_no_group_'.

hadoop.kms.proxyuser.yarn.groups

*

hadoop_kms_proxyuser_yarn_groups

false

YARN Proxy User Hosts

Comma-delimited list of hosts where you want to allow the yarn user to impersonate other users. The default '*' allows all hosts. To
disable entirely, use a string that doesn't correspond to a host name, such as '_no_host'.

hadoop.kms.proxyuser.yarn.hosts

*

hadoop_kms_proxyuser_yarn_hosts

false
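The proxy-user properties above all default to '*', which lets the named superuser impersonate any member of any group from any host. A practitioner hardening a KMS wants a quick check of which proxy users are still wide open, and a way to narrow them to explicit lists. The script below is an added example, not part of the Cloudera documentation: it parses a Hadoop-style kms-site.xml, flags every hadoop.kms.proxyuser.<user>.groups/hosts value that is the wildcard (or absent, where Cloudera Manager's default is '*'), and shows how to restrict one user. The XML, the group names and the host names are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample kms-site.xml (not from any real deployment).
# 'hdfs' keeps the '*' defaults, 'hue' is restricted to named groups and hosts,
# 'oozie' has groups disabled with the '_no_group_' sentinel but no hosts entry.
SAMPLE_KMS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.kms.proxyuser.hdfs.groups</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.hdfs.hosts</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.hue.groups</name><value>analysts,etl</value></property>
  <property><name>hadoop.kms.proxyuser.hue.hosts</name><value>hue01.example.internal,hue02.example.internal</value></property>
  <property><name>hadoop.kms.proxyuser.oozie.groups</name><value>_no_group_</value></property>
</configuration>
"""

PROXYUSER_RE = re.compile(r"^hadoop\.kms\.proxyuser\.([^.]+)\.(groups|hosts)$")


def parse_kms_site(xml_text: str) -> Dict[str, str]:
    """Return {property name: value} for every <property> in a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    props: Dict[str, str] = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def proxyuser_settings(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group proxyuser properties by superuser: {user: {'groups': ..., 'hosts': ...}}."""
    out: Dict[str, Dict[str, str]] = {}
    for name, value in props.items():
        m = PROXYUSER_RE.match(name)
        if m:
            user, kind = m.groups()
            out.setdefault(user, {})[kind] = value
    return out


def audit_proxyusers(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag each proxyuser whose groups or hosts list is unrestricted.

    Returns sorted (user, 'groups'|'hosts', finding) tuples. A '*' value allows
    all groups/hosts; a missing key is reported too, since the documented
    Cloudera Manager default for these properties is '*'.
    """
    findings: List[Tuple[str, str, str]] = []
    for user, kinds in proxyuser_settings(props).items():
        for kind in ("groups", "hosts"):
            value = kinds.get(kind)
            if value is None:
                findings.append((user, kind, "not set in file; Cloudera Manager default is '*'"))
            elif value == "*":
                findings.append((user, kind, "wildcard '*' allows all"))
    return sorted(findings)


def restrict_proxyuser(props: Dict[str, str], user: str,
                       groups: List[str], hosts: List[str]) -> Dict[str, str]:
    """Return a copy of props with one proxyuser limited to explicit lists.

    An empty list disables that dimension with the sentinel values the
    property descriptions suggest ('_no_group_' / '_no_host').
    """
    updated = dict(props)
    updated[f"hadoop.kms.proxyuser.{user}.groups"] = ",".join(groups) if groups else "_no_group_"
    updated[f"hadoop.kms.proxyuser.{user}.hosts"] = ",".join(hosts) if hosts else "_no_host"
    return updated


if __name__ == "__main__":
    props = parse_kms_site(SAMPLE_KMS_SITE)
    for user, kind, finding in audit_proxyusers(props):
        print(f"hadoop.kms.proxyuser.{user}.{kind}: {finding}")
    # Restrict hdfs to one admin group and the NameNode hosts (constructed names).
    hardened = restrict_proxyuser(props, "hdfs", ["hdfs-admins"],
                                  ["nn01.example.internal", "nn02.example.internal"])
    print("after hardening:", audit_proxyusers(hardened))
```

Run it against the kms-site.xml that Cloudera Manager generates in the KMS process directory to see which superusers can still impersonate arbitrary users; pairing the result with the KMS Blacklist Users setting below tells you which of those superusers can also reach key material.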

Key Trustee KeyStoreProvider Directory

Directory containing the keystore file used by the Key Trustee KeyStoreProvider that backs the KMS.

hadoop.kms.key.provider.uri

/var/lib/kms-keytrustee

hadoop_security_key_provider_dir

true

Key Trustee KeyStoreProvider Configuration Directory

Directory in which the configuration for the keystore file used by the Key Trustee KeyStoreProvider that backs the KMS is stored.

keytrustee.kms.key.provider.conf.uri

/var/lib/kms-keytrustee/keytrustee

keytrustee_security_key_provider_conf_dir

true

KMS Blacklist Users

A comma-separated list of users (no spaces) for whom to disallow access to key material. These users can still fetch key metadata and
create encrypted encryption keys, but are unable to do any other KMS operations. Typically, HDFS superusers will be specified here.

kms_blacklist_users

kms_blacklist_users

false

KMS Heap Size

Maximum heap size of the KMS.

kms_heap_size

1 GiB

kms_heap_size

true

KMS Max Threads

Maximum number of threads used to handle KMS requests.

kms_max_threads

250

kms_max_threads

false

KMS Staging Directory

Directory where configuration and binaries are staged before starting KMS. Does not normally need to be modified.

kms_staging_dir

/var/lib/keytrustee-kms

kms_staging_dir

true

Performance

Display Name

Description

Related Name

Default Value

API Name

Required

Maximum Process File Descriptors

If configured, overrides the process soft and hard rlimits (also called ulimits) for file descriptors to the configured value.

rlimit_fds

false

Ports and Addresses

Display Name

Description

Related Name

Default Value

API Name

Required

KMS Admin Port

Port used to access the KMS' embedded Tomcat admin console.

kms_admin_port

16001

kms_admin_port

true

KMS HTTP Port

Port used by clients to interact with the KMS.

kms_http_port

16000

kms_http_port

true

Resource Management

Display Name

Description

Related Name

Default Value

API Name

Required

Cgroup CPU Shares

Number of CPU shares to assign to this role. The greater the number of shares, the larger the share of the host's CPUs that will be
given to this role when the host experiences CPU contention. Must be between 2 and 262144. Defaults to 1024 for processes not managed by Cloudera Manager.

cpu.shares

1024

rm_cpu_shares

true

Cgroup I/O Weight

Weight for the read I/O requests issued by this role. The greater the weight, the higher the priority of the requests when the host
experiences I/O contention. Must be between 100 and 1000. Defaults to 1000 for processes not managed by Cloudera Manager.

blkio.weight

500

rm_io_weight

true

Cgroup Memory Hard Limit

Hard memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages
charged to the process. If reclaiming fails, the kernel may kill the process. Both anonymous and page cache pages contribute to the limit. Use a value of -1 B to specify no limit. By default,
processes not managed by Cloudera Manager have no limit.

memory.limit_in_bytes

-1 MiB

rm_memory_hard_limit

true

Cgroup Memory Soft Limit

Soft memory limit to assign to this role, enforced by the Linux kernel. When the limit is reached, the kernel will reclaim pages
charged to the process if and only if the host is facing memory pressure. If reclaiming fails, the kernel may kill the process. Both anonymous and page cache pages contribute to the limit. Use
a value of -1 B to specify no limit. By default, processes not managed by Cloudera Manager have no limit.

memory.soft_limit_in_bytes

-1 MiB

rm_memory_soft_limit

true

Security

Display Name

Description

Related Name

Default Value

API Name

Required

Key Management Server Proxy TLS/SSL Certificate Trust Store File

The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that Key Management
Server Proxy might connect to. This is used when Key Management Server Proxy is the client in a TLS/SSL connection. This trust store must contain the certificate(s) used to sign the service(s)
connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.

ssl_client_truststore_location

false

Key Management Server Proxy TLS/SSL Certificate Trust Store Password

The password for the Key Management Server Proxy TLS/SSL Certificate Trust Store File. This password is not required to access the
trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.

The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when Key Management
Server Proxy is acting as a TLS/SSL server. The keystore must be in JKS format.

ssl_server_keystore_location

false

Key Management Server Proxy TLS/SSL Server JKS Keystore File Password

The password for the Key Management Server Proxy JKS keystore file.

ssl_server_keystore_password

false

Suppressions

Display Name

Description

Related Name

Default Value

API Name

Required

Suppress Configuration Validator: CDH Version Validator

Whether to suppress configuration warnings produced by the CDH Version Validator configuration validator.

false

role_config_suppression_cdh_version_validator

true

Suppress Parameter Validation: Key Trustee Server Auth Code

Whether to suppress configuration warnings produced by the built-in parameter validation for the Key Trustee Server Auth Code
parameter.

false

role_config_suppression_cloudera_trustee_keyprovider_auth

true

Suppress Parameter Validation: Active Key Trustee Server

Whether to suppress configuration warnings produced by the built-in parameter validation for the Active Key Trustee Server
parameter.

false

role_config_suppression_cloudera_trustee_keyprovider_hostname-active

true

Suppress Parameter Validation: Passive Key Trustee Server

Whether to suppress configuration warnings produced by the built-in parameter validation for the Passive Key Trustee Server
parameter.

false

role_config_suppression_cloudera_trustee_keyprovider_hostname-passive

true

Suppress Parameter Validation: Key Trustee Server Org Name

Whether to suppress configuration warnings produced by the built-in parameter validation for the Key Trustee Server Org Name
parameter.

Service-Wide

Advanced

For advanced use only, key-value pairs (one on each line) to be inserted into a role's environment. Applies to configurations of all
roles in this service except client configuration.

KEYTRUSTEE_service_env_safety_valve

false

System Group

The group that this service's processes should run as.

kms

process_groupname

true

System User

The user that this service's processes should run as.

kms

process_username

true

Monitoring

Display Name

Description

Related Name

Default Value

API Name

Required

Enable Configuration Change Alerts

When set, Cloudera Manager will send alerts when this entity's configuration changes.

false

enable_config_alerts

false

Other

Display Name

Description

Related Name

Default Value

API Name

Required

ZooKeeper Authentication Type for Secret Signer

ZooKeeper Authentication for Secret Signer. Can be either "none" or "sasl".

hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type

none

hadoop_kms_authentication_signer_secret_provider_zookeeper_auth_type

true

Authentication Secret Signer ZooKeeper Path

Authentication Secret Signer ZooKeeper path. Must be set for KMS High Availability deployments.

hadoop.kms.authentication.signer.secret.provider.zookeeper.path

/kmsZKRoot

hadoop_kms_authentication_signer_secret_provider_zookeeper_path

true

Authentication Type

Authentication type for the KMS. Can either be "simple" or "kerberos".

hadoop.kms.authentication.type

simple

hadoop_kms_authentication_type

true

KMS Load Balancer

Key Management Store Load Balancer, used with multiple KMS roles (KMS high availability). In CDH 5.4 and higher, this Key Trustee
KMS service typically has the ZooKeeper dependency set, and this property is left blank. In this case, the ZooKeeper-based high availability URL is automatically generated for clients. To use an
external load balancer, specify the URL to that load balancer. When using the ZooKeeper-based load balancer, all KMS roles must listen on the same port.

kms_load_balancer

kms_load_balancer

false

ZooKeeper Service

Name of the ZooKeeper service that this Key Trustee KMS service instance depends on.